Changes for page Development-SSL requests via https protocol

Last modified by Aaron Rosenzweig on 2012/03/19 19:33

From 46.1 to 47.1 From 54.1 to 55.1

From version 47.1

edited by Kieran Kelleher
on 2008/07/21 18:13

Change comment: There is no comment for this version

To version 54.1

edited by Pascal Robert
on 2012/01/27 09:14

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (3 modified, 0 added, 0 removed)

Details

Page properties

Title

@@ -1,1 +1,1 @@
--Web Applications-Development-SSL requests via https protocol
++Development-SSL requests via https protocol

Author

@@ -1,1 +1,1 @@
--XWiki.kieran
++XWiki.probert

Content

@@ -1,6 +1,6 @@
  == Introduction ==
--Sooner or later you will need to develop WebObjects applications that work with SSL requests over https protocol. If ssl is configured on your deployment server, you can probably just change http to https in the app entry URL and the app will probably just work over https protocol. However if your application requires security, you cannot just depend on your users typing in a URL that begins with https. Also since SSL encryption adds more load to the webserver, you may want decide that just some pages need to be returned securely over https and the rest returned via plain old http. In any case, you may want to or need to set up your local OS X development machine to support https protocol so that you can properly test your application. This article endeavors to do this in a concise way while referring to 3rd party sources where applicable. Note also that setting up ssl for testing can be a far simpler task (and not really secure) than setting up real authentic SSL certificates for use in a production server.
++Sooner or later you will need to develop WebObjects applications that work with SSL requests over https protocol. If ssl is configured on your deployment server, you can probably just change http to https in the app entry URL and the app will probably just work over https protocol. However if your application requires security, you cannot just depend on your users typing in a URL that begins with https. Also since SSL encryption adds more load to the webserver, you may want decide that just some pages need to be returned securely over https and the rest returned via plain old http. In any case, you may want to or need to set up your local OS X development machine to support https protocol so that you can properly test your application. Note also that setting up ssl for testing can be a far simpler task (and not really secure) than setting up real authentic SSL certificates for use in a production server.
  {{info title="Compatability"}}
@@ -15,6 +15,14 @@
  {{/info}}
++=== References ===
++
++* [[http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert]]
++* [[http://homepage.mac.com/kelleherk/iblog/C463983418/E683365024/index.html]]
++* [[http://www.macosxhints.com/article.php?story=20080628074917113]]
++* [[http://www.macosxhints.com/article.php?story=20041129143420344]]
++* [[http://developer.apple.com/internet/serverside/modssl.html]]
++
  == Development via Apache Webserver ==
  By default, WebObjects development installations typically run via DirectConnect. For https development, we must run thru the apache webserver built in to every OS X machine. So before going any further, configure your WebObjects development environment so that your development application launches and [[runs thru apache>>Development Tools-Running Through Apache]] using the host name "localhost".
@@ -43,7 +43,7 @@
  {{noformat}}
--bash-3.2# openssl req -new -x509 -nodes -out localhost_server.crt -keyout localhost_server.key
++bash-3.2# openssl req -days 3650 -new -x509 -nodes -out localhost_server.crt -keyout localhost_server.key
  Generating a 1024 bit RSA private key
  .........................++++++
@@ -77,17 +77,34 @@
  === Configure Apache2 to Use Your Development Certificates for localhost ===
--Using you favorite text editor, edit the apache2 config file at
--/etc/apache2/httpd.conf
++Using your favorite command line editor, edit the apache config file at
++**/etc/apache2/httpd.conf**
  making the changes shown in the following 2 screenshots:
--[[image:step1_servernamelocalhost.jpg]]
--  [[image:step2_includesslconfig.jpg]]
--&nbsp;
--Next edit the ssl config file itself making the changes shown in the following sceenshot:
--\\  [[image:step3_sslconfig.jpg]]
--\\Finally, restart apache
++{{panel title="Setting Apache server name to localhost"}}
++!step1_servernamelocalhost.jpg!
++
++{{/panel}}
++
++{{panel title="Including SSL Configuration file into main Apache config file"}}
++
++!step2_includesslconfig.jpg!
++
++{{/panel}}
++
++Next edit the ssl config file itself at
++**/etc/apache2/extra/httpd-ssl.conf**
++making the changes shown in the following sceenshot:
++
++{{panel title="Setting up the SSL Config file"}}
++
++!step3_sslconfig.jpg!
++
++{{/panel}}
++
++Restart apache
++
  {{noformat}}
  bash-3.2# apachectl graceful
@@ -94,6 +94,30 @@
  {{/noformat}}
++~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
++
++JEFF SCHMITZ
++
++Right at this point I got the error:
++
++ulimit: open files: cannot modify limit: Invalid arg
++
++After a quick google search I found this which seems to have fixed the error:
++
++[[http://www.perkiset.org/forum/all_things_apple/apache_osx_and_ulimit_a_little_chunk_of_weirdness-t909.0.html]]
++
++Also, for my [[https://]]... links my rewrite rules in apache weren't getting fired. &nbsp;To get them to work I had to add them to the httpd-ssl.conf file just below the General setup stuff shown in the figure above. &nbsp;I just copied them from my httpd.conf file and pasted them in. &nbsp;Not sure if this is the best way to handle it, but it's working for me on my development machine at least.
++
++~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
++
++Finally, verify that https is working:
++
++{{panel title="Verify https://localhost is working"}}
++
++!httpslocalhost2.jpg!
++
++{{/panel}}
++
  == Detecting SSL ==
  Code for detecting whether SSL is active for the current request:
@@ -120,3 +120,37 @@
  log.debug( "secure mode set to " + secureMode );
  {{/code}}
++
++== Using SSL in DirectConnect ==
++
++Mike Schrag said in early 2011 that it was possible to use SSL in DirectConnect, that is was simply hidden. A property was added to enable it, and instructions added to the Properties file of ERExtensions. This is the part from the Properties file:
++
++{{code}}
++
++
++## You should probably not enable any of these settings in a normal Apache webserver deployment,
++## in particular the ssl port property, as this is used by ERX to generate https URLs, which must
++## match your Apache config.
++##
++## To enable SSL support with DirectConnect, you must do the following:
++##
++## * In your Resources folder, run "keytool -genkey -alias WebObjects -keyalg RSA -keystore adaptorssl.key".  Select a
++##   password for your keystore (i.e. "changeit"), and set the "your first name and last name" field to match the hostname
++##   that you will be running your directconnect app off of.
++## * In your Resources folder, create an executable script (it MUST BE EXECUTABLE) named "adaptorsslpassphrase" with the
++##   contents:
++##   echo changeit
++##   where you should replace "changeit" for whatever password you selected in the previous step.
++## * Set the following property to true
++#er.extensions.ERXApplication.ssl.enabled=true
++
++## (optional) To specify an SSL host name other than what is returned from a call to
++## application.host(), you can override it below
++#er.extensions.ERXApplication.ssl.host=localhost
++
++## (optional) To select an SSL port other than 443, uncomment the following. If you are already running Apache with SSL,
++## you probably want to set this.  If the port number is 0, the SSL port will be automatically assigned (using the same
++## mechanism that WO uses to set the regular port)
++#er.extensions.ERXApplication.ssl.port=0
++
++{{/code}}

Changes for page Development-SSL requests via https protocol

Summary

Details

Applications

Navigation

My Recent Modifications

Need help?